Publication


Featured research published by Qiben Yan.


International Conference on Computer Communications | 2012

Vulnerability and protection for distributed consensus-based spectrum sensing in cognitive radio networks

Qiben Yan; Ming Li; Tingting Jiang; Wenjing Lou; Y. Thomas Hou

Cooperative spectrum sensing is key to the success of cognitive radio networks. Recently, fully distributed cooperative spectrum sensing has been proposed for its high performance benefits particularly in cognitive radio ad hoc networks. However, the cooperative and fully distributed natures of such protocol make it highly vulnerable to malicious attacks, and make the defense very difficult. In this paper, we analyze the vulnerabilities of distributed sensing architecture based on a representative distributed consensus-based spectrum sensing algorithm. We find that such distributed algorithm is particularly vulnerable to a novel form of attack called covert adaptive data injection attack. The vulnerabilities are even magnified under multiple colluding attackers. We further propose effective protection mechanisms, which include a robust distributed outlier detection scheme with adaptive local threshold to thwart the covert adaptive data injection attack, and a hash-based computation verification approach to cope with collusion attacks. Through simulation and analysis, we demonstrate the destructive power of the attacks, and validate the efficacy and efficiency of our proposed protection mechanisms.


IEEE Journal on Selected Areas in Communications | 2012

Throughput Analysis of Cooperative Mobile Content Distribution in Vehicular Network using Symbol Level Network Coding

Qiben Yan; Ming Li; Zhenyu Yang; Wenjing Lou; Hongqiang Zhai

This paper presents a theoretical study of the throughput of mobile content distribution (MCD) in vehicular ad hoc networks (VANETs). Since VANET is well-known for its fast-changing topology and adverse wireless channel environments, various protocols have been proposed in the literature to enhance the performance of MCD in a vehicular environment, using packet-level network coding (PLNC) and symbol-level network coding (SLNC). However, there is still a lack of fundamental understanding of the limits of MCD protocols using network coding in VANETs. In this paper, we develop a theoretical model to compute the achievable throughput of cooperative MCD in VANETs using SLNC. By considering a one-dimensional road topology with an access point (AP) as the content source, the expected achievable throughput for a vehicle at a certain distance from the AP is derived, for both using PLNC and SLNC. Our proposed model is unique since it captures the effects of multiple practical factors, including vehicle distribution and mobility pattern, channel fading and packet collisions. Through numerical results, we provide insights on optimized design choices for network coding-based cooperative MCD systems in VANETs.


IEEE Transactions on Industrial Informatics | 2018

Android Malware Detection

Jin Li; Lichao Sun; Qiben Yan; Zhiqiang Li; Witawas Srisa-an; Heng Ye

The alarming growth rate of malicious apps has become a serious issue that sets back the prosperous mobile ecosystem. A recent report indicates that a new malicious app for Android is introduced every 10 s. To combat this serious malware campaign, we need a scalable malware detection approach that can effectively and efficiently identify malware apps. Numerous malware detection tools have been developed, including system-level and network-level approaches. However, scaling the detection for a large bundle of apps remains a challenging task. In this paper, we introduce Significant Permission IDentification (SigPID), a malware detection system based on permission usage analysis to cope with the rapid increase in the number of Android malware. Instead of extracting and analyzing all Android permissions, we develop three levels of pruning by mining the permission data to identify the most significant permissions that can be effective in distinguishing between benign and malicious apps. SigPID then utilizes machine-learning-based classification methods to classify different families of malware and benign apps. Our evaluation finds that only 22 permissions are significant. We then compare the performance of our approach, using only 22 permissions, against a baseline approach that analyzes all permissions. The results indicate that when a support vector machine is used as the classifier, we can achieve over 90% of precision, recall, accuracy, and F-measure, which are about the same as those produced by the baseline approach while incurring the analysis times that are 4–32 times less than those of using all permissions. Compared against other state-of-the-art approaches, SigPID is more effective by detecting 93.62% of malware in the dataset and 91.4% unknown/new malware samples.


IEEE Transactions on Information Forensics and Security | 2013

Proximity-Based Security Techniques for Mobile Users in Wireless Networks

Liang Xiao; Qiben Yan; Wenjing Lou; Guiquan Chen; Y. Thomas Hou

In this paper, we propose a privacy-preserving proximity-based security system for location-based services in wireless networks, without requiring any pre-shared secret, trusted authority, or public key infrastructure. In this system, the proximity-based authentication and session key establishment are implemented based on spatial temporal location tags. Incorporating the unique physical features of the signals sent from multiple ambient radio sources, the location tags cannot be easily forged by attackers. More specifically, each radio client builds a public location tag according to the received signal strength indicators, sequence numbers, and media access control (MAC) addresses of the ambient packets. Each client also keeps a secret location tag that consists of the packet arrival time information to generate the session keys. As clients never disclose their secret location tags, this system is robust against eavesdroppers and spoofers outside the proximity range. The system improves the authentication accuracy by introducing a nonparametric Bayesian method called infinite Gaussian mixture model in the proximity test and provides flexible proximity range control by taking into account multiple physical-layer features of various ambient radio sources. Moreover, the session key establishment strategy significantly increases the key generation rate by exploiting the packet arrival time of the ambient signals. The authentication accuracy and key generation rate are evaluated via experiments using laptops in typical indoor environments.


International Conference on Computer Communications | 2014

MIMO-based jamming resilient communication in wireless networks

Qiben Yan; Huacheng Zeng; Tingting Jiang; Ming Li; Wenjing Lou; Y. Thomas Hou

Reactive jamming is considered the most powerful jamming attack as the attack efficiency is maximized while the risk of being detected is minimized. Currently, there are no effective anti-jamming solutions to secure OFDM wireless communications under reactive jamming attack. On the other hand, MIMO has emerged as a technology of great research interest in recent years mostly due to its capacity gain. In this paper, we explore the use of MIMO technology for jamming resilient OFDM communication, especially its capability to communicate against the powerful reactive jammer. We first investigate the jamming strategies and their impacts on the OFDM-MIMO receivers. We then present a MIMO-based anti-jamming scheme that exploits interference cancellation and transmit precoding capabilities of MIMO technology to turn a jammed non-connectivity scenario into an operational network. Our testbed evaluation shows the destructive power of reactive jamming attack, and also validates the efficacy and efficiency of our defense mechanisms.


IEEE Transactions on Information Forensics and Security | 2016

Jamming Resilient Communication Using MIMO Interference Cancellation

Qiben Yan; Huacheng Zeng; Tingting Jiang; Ming Li; Wenjing Lou; Y. Thomas Hou

Jamming attack is a serious threat to the wireless communications. Reactive jamming maximizes the attack efficiency by jamming only when the targets are communicating, which can be readily implemented using software-defined radios. In this paper, we explore the use of the multi-input multi-output (MIMO) technology to achieve jamming resilient orthogonal frequency-division multiplexing (OFDM) communication. In particular, MIMO interference cancellation treats jamming signals as noise and strategically cancels them out, while transmit precoding adjusts the signal directions to optimize the decoding performance. We first investigate the reactive jamming strategies and their impacts on the MIMO-OFDM receivers. We then present a MIMO-based anti-jamming scheme that exploits MIMO interference cancellation and transmit precoding technologies to turn a jammed non-connectivity scenario into an operational network. We implement our jamming resilient communication scheme using software-defined radios. Our testbed evaluation shows the destructive power of reactive jamming attack, and also validates the efficacy and efficiency of our defense mechanisms in the presence of numerous types of reactive jammers with different jamming signal powers.


International Conference on Computer Communications | 2015

PeerClean: Unveiling peer-to-peer botnets through dynamic group behavior analysis

Qiben Yan; Yao Zheng; Tingting Jiang; Wenjing Lou; Y. Thomas Hou

Advanced botnets adopt a peer-to-peer (P2P) infrastructure for more resilient command and control (C&C). Traditional detection techniques become less effective in identifying bots that communicate via a P2P structure. In this paper, we present PeerClean, a novel system that detects P2P botnets in real time using only high-level features extracted from C&C network flow traffic. PeerClean reliably distinguishes P2P bot-infected hosts from legitimate P2P hosts by jointly considering flow-level traffic statistics and network connection patterns. Instead of working on individual connections or hosts, PeerClean clusters hosts with similar flow traffic statistics into groups. It then extracts the collective and dynamic connection patterns of each group by leveraging a novel dynamic group behavior analysis. Compared with the individual host-level connection patterns, the collective group patterns are more robust and differentiable. Multi-class classification models are then used to identify different types of bots based on the established patterns. To increase the detection probability, we further propose to train the model with average group behavior, but to explore the extreme group behavior for the detection. We evaluate PeerClean on real-world flow records from a campus network. Our evaluation shows that PeerClean is able to achieve high detection rates with few false positives.


IEEE Wireless Communications Letters | 2012

On the Limitation of Embedding Cryptographic Signature for Primary Transmitter Authentication

Tingting Jiang; Huacheng Zeng; Qiben Yan; Wenjing Lou; Y. Thomas Hou

Recently, an interesting primary transmitter authentication scheme was proposed. The main idea of this scheme is to have the primary transmitter embed cryptographic authentication tag at the physical layer. There are a number of features that make this scheme attractive. In this paper, we investigate the effective coverage areas for the primary and secondary receivers before and after applying this scheme. During the process, we reveal a serious limitation of this scheme, which may prohibit its application in practice.


International Conference on Communications | 2013

Proximity-based security using ambient radio signals

Liang Xiao; Qiben Yan; Wenjing Lou; Y. Thomas Hou

In this paper, we propose a privacy-preserving proximity-based security strategy for location-based services in wireless networks, without requiring any pre-shared secret, trusted authority or public key infrastructure. More specifically, radio clients build their location tags according to the unique physical features of their ambient radio signals, which cannot be forged by attackers outside the proximity range. The proximity-based authentication and session key generation is based on the public location tag, which incorporates the received signal strength indicator (RSSI), sequence number and MAC address of the ambient radio packets. Meanwhile, as the basis for the session key generation, the secret location tag consisting of the arrival time interval of the ambient packets, is never broadcast, making it robust against eavesdroppers and spoofers. The proximity test utilizes the nonparametric Bayesian method called infinite Gaussian mixture model, and provides range control by selecting different features of various ambient radio sources. The authentication accuracy and key generation rate are evaluated via experiments using laptops in typical indoor environments.


International Conference on Malicious and Unwanted Software | 2016

SigPID: significant permission identification for Android malware detection

Lichao Sun; Zhiqiang Li; Qiben Yan; Witawas Srisa-an; Yu Pan

A recent report indicates that a newly developed malicious app for Android is introduced every 11 seconds. To combat this alarming rate of malware creation, we need a scalable malware detection approach that is effective and efficient. In this paper, we introduce SIGPID, a malware detection system based on permission analysis to cope with the rapid increase in the number of Android malware. Instead of analyzing all 135 Android permissions, our approach applies 3-level pruning by mining the permission data to identify only significant permissions that can be effective in distinguishing benign and malicious apps. SIGPID then utilizes classification algorithms to classify different families of malware and benign apps. Our evaluation finds that only 22 out of 135 permissions are significant. We then compare the performance of our approach, using only 22 permissions, against a baseline approach that analyzes all permissions. The results indicate that when Support Vector Machine (SVM) is used as the classifier, we can achieve over 90% of precision, recall, accuracy, and F-measure, which are about the same as those produced by the baseline approach while incurring the analysis times that are 4 to 32 times smaller than those of using all 135 permissions. When we compare the detection effectiveness of SIGPID to those of other approaches, SIGPID can detect 93.62% of malware in the data set, and 91.4% unknown malware.

Collaboration

Top Co-Authors

Ming Li

University of Arizona

Lichao Sun

University of Illinois at Chicago
